Trends in Application Security


Web app breaches continue
- E-commerce sites targeted
- API attacks

Trends in AppSec testing
- Shifting left
- Coverage
- Automation


[Chart: breaches by incident pattern, from the 2019 Verizon DBIR. Patterns shown: Web Applications, Miscellaneous Errors, Privilege Misuse, Cyber-Espionage, Everything Else, Crimeware, Lost and Stolen Assets, Point of Sale.]
Source: 2019 Verizon DBIR


© Qualys. 


Web Application Scanning


WAS Overview

Detects application-layer vulnerabilities in web apps & APIs
- Browser engine
- Automated crawling
- Playback of Selenium scripts
- API to integrate with other systems
- Unique integration with Qualys WAF
- Mature product
2019 Highlights

- Custom scan intensity
- WAS Jenkins plugin v2
- Updated Qualys Browser Recorder
- TLS 1.3
- Full HTTP requests
- Enhanced crawling
- Postman Collections
- WAS Burp extension v2
WAS Roadmap

December 2019
- Beta of new dashboard
- OpenAPI v3 support
- Bamboo plugin

Q1 2020 *
- Out-of-band vulnerability detections ("Periscope")
- Configurable QID severity

Q2 2020 *
- App discovery / catalog enhancements
- Subresource integrity (SRI)
- Exclude certain HTTP verbs

* Tentative
Out-of-Band Vulnerabilities

Some issues can't be detected by traditional request-response testing, e.g.:
- SSRF
- SMTP header injection
- Blind XXE injection

[Diagram: SSRF. The attacker sends a request to the vulnerable application, which in turn issues its own request (HTTP, FTP, ...) to the targeted application. Source: OWASP]

Detecting these vulnerabilities requires a different approach.
Introducing Periscope

Detection mechanism for out-of-band web app vulnerabilities

Scanner sends a test; the POST request body is:
p1=joe&p2=smith&p3=http%3A%2F%2Fe528efddaa51766cb86afb19f22de54b6da1093c.1454156_35626.2086421852.ssrf01.ssrf.qualysperiscope.com

The web app tries to resolve this FQDN:
e528efddaa51766cb86afb19f22de54b6da1093c.1454156_35626.2086421852.ssrf01.ssrf.qualysperiscope.com

The hostname is unique to this scan and this injection point, and the qualysperiscope.com zone is under Qualys control, so the DNS lookup by itself shows that the application followed the URL supplied in p3, even when no HTTP response ever reaches the scanner.
Qualys Periscope

[Diagram: Periscope workflow. WAS receives from the Periscope web service (i) a unique ID, (ii) the web-service URL and (iii) the callback domain name; WAS sends the request carrying the OOB payload to the vulnerable app; if the app makes the external request, the Periscope service records the callback (events pass through a Kafka cluster); WAS then queries the web service and receives the response confirming that the callback occurred.]
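The Periscope flow above, reduced to its mechanics as an added example (this is not Qualys Periscope code and is not part of the original slides): a scanner mints an unguessable callback hostname per injection point, form-encodes it into the test request, and later correlates DNS queries seen at the callback zone back to the scan, request and parameter that produced them. The zone ssrf01.ssrf.oob.example.test, the BIND-style query-log line format and the hostname label layout are assumptions modelled on the page's example.

```python
# Periscope-style out-of-band (OOB) detection, as an added illustration.
# Not Qualys code: the callback zone, the log-line format and the label
# layout below are assumptions modelled on the page's example hostname.
import re
import secrets
import time
import urllib.parse

# Assumed callback zone; the page's real one is *.ssrf01.ssrf.qualysperiscope.com.
CALLBACK_ZONE = "ssrf01.ssrf.oob.example.test"

# Assumed BIND-style query-log line, e.g.
#   "client 203.0.113.5#4321: query: <qname> IN A +"
QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\s+(\w+)")


class OobRegistry:
    """Tracks pending OOB tokens and correlates DNS callbacks to them."""

    def __init__(self, zone: str = CALLBACK_ZONE):
        self.zone = zone.lower()
        self._pending = {}  # token -> context of the injection that used it

    def mint(self, scan_id: str, request_id: str, param: str) -> str:
        # 160-bit random token: a third party cannot guess a valid hostname,
        # so a resolved name is evidence that *our* payload was processed.
        token = secrets.token_hex(20)
        # Label layout mirrors the page: <token>.<scan>_<request>.<timestamp>.<zone>
        fqdn = f"{token}.{scan_id}_{request_id}.{int(time.time())}.{self.zone}"
        self._pending[token] = {"scan_id": scan_id, "request_id": request_id,
                                "param": param, "fqdn": fqdn}
        return fqdn

    def build_body(self, fields: dict, target: str, fqdn: str) -> str:
        """Form-encode the test request, placing an OOB URL in `target`."""
        payload = dict(fields)
        payload[target] = f"http://{fqdn}/"
        return urllib.parse.urlencode(payload)

    def correlate(self, dns_log_lines) -> list:
        """Return one hit per distinct pending token seen in the callback zone."""
        hits, seen = [], set()
        for line in dns_log_lines:
            m = QUERY_RE.search(line)
            if not m:
                continue
            qname = m.group(1).rstrip(".").lower()  # DNS names are case-insensitive
            if not qname.endswith("." + self.zone):
                continue  # unrelated query
            token = qname.split(".", 1)[0]
            ctx = self._pending.get(token)
            if ctx is None or token in seen:
                continue  # unknown token (probe or typo) or a repeat lookup
            seen.add(token)
            hits.append({**ctx, "qtype": m.group(2), "qname": qname})
        return hits
```

A name resolution is enough to raise the finding even where outbound HTTP is blocked by egress filtering, which is why the detection keys on DNS rather than on a completed connection. Link-preview bots and security proxies that resolve submitted URLs can also trigger a lookup, so the querying client and its timing are worth keeping alongside the hit when triaging.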
Building Secure APIs

OWASP API Security Top 10 (RC)

1. Broken Object Level Authorization (BOLA)
2. Broken Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
Example API - Pet Store

[Swagger UI listing for the "pet" tag ("Everything about your Pets"):]
- GET /pet/{petId}: Find pet by ID
- POST /pet/{petId}: Updates a pet in the store with form data
- DELETE /pet/{petId}: Deletes a pet
- POST /pet/{petId}/uploadImage: uploads an image
- POST /pet: Add a new pet to the store
- PUT /pet: Update an existing pet
- GET /pet/findByStatus: Finds Pets by status
Relevant portion of the Swagger file

{
  "swagger": "2.0",
  "info": {
    "version": "1.0",
    "title": "Petstore"
  },
  "host": "api.petstore.com",
  "basePath": "/v1",
  "schemes": ["http", "https"],
  "paths": {
    "/pet/{petId}": {
      "get": {
        "summary": "Get info for a specific pet",
        "operationId": "showPetById",
        "parameters": [
          {
            "name": "petId",
            "in": "path",
            "required": true,
            "description": "The ID of the pet to retrieve",
            "type": "integer"
          }
        ],
        "responses": {
          "200": {
            "description": "Expected successful response",
            "schema": {
              "$ref": "#/definitions/Pet"
            }
          }
        }
      }
    }
  }
}
How Does this Help with Security?

We can leverage the Swagger spec to harden the API endpoints in a declarative way. The definition on the left accepts any integer for petId; the one on the right adds a "maximum" bound, which a validating gateway or framework can enforce before the request reaches application code.

Before:

  "paths": {
    "/pet/{petId}": {
      "get": {
        "summary": "Get info for a specific pet",
        "operationId": "showPetById",
        "parameters": [
          {
            "name": "petId",
            "in": "path",
            "required": true,
            "description": "The ID of the pet",
            "type": "integer"
          }
        ],

After:

  "paths": {
    "/pet/{petId}": {
      "get": {
        "summary": "Get info for a specific pet",
        "operationId": "showPetById",
        "parameters": [
          {
            "name": "petId",
            "in": "path",
            "required": true,
            "description": "The ID of the pet",
            "type": "integer",
            "maximum": 999999
          }
        ],
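To make the declarative hardening concrete, here is an added example (not Qualys code, and not part of the original slides) that reads the Petstore fragment above as a Python dict, flags parameters that lack bounds the way a static assessment would, applies the page's "maximum" change, and then enforces the resulting spec against incoming request paths. The "minimum" of 1, the rule for unbounded string parameters and the rejection of HTTP verbs the spec does not define are this example's own assumptions, added to show the general pattern rather than only the single change on the slide.

```python
# Declarative hardening from a Swagger 2.0 spec: a small static assessment
# that flags unbounded parameters, plus a request validator that enforces
# whatever bounds the spec declares. Added example, not Qualys code; the
# spec dict reproduces the page's Petstore fragment, while the lint rules,
# the minimum of 1 and the undocumented-verb check are this example's own.
import copy
import re

PETSTORE = {
    "swagger": "2.0",
    "info": {"version": "1.0", "title": "Petstore"},
    "host": "api.petstore.com",
    "basePath": "/v1",
    "schemes": ["http", "https"],
    "paths": {
        "/pet/{petId}": {
            "get": {
                "summary": "Get info for a specific pet",
                "operationId": "showPetById",
                "parameters": [{
                    "name": "petId", "in": "path", "required": True,
                    "description": "The ID of the pet", "type": "integer",
                }],
                "responses": {"200": {"description": "Expected successful response"}},
            }
        }
    },
}


def lint_spec(spec: dict) -> list:
    """Static assessment: list (path, method, param, advice) for weak definitions."""
    findings = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for p in op.get("parameters", []):
                where = (path, method, p["name"])
                if p.get("type") == "integer":
                    if "maximum" not in p:
                        findings.append(where + ('integer has no "maximum"; add one',))
                    if "minimum" not in p:
                        findings.append(where + ('integer has no "minimum"; add one',))
                elif p.get("type") == "string" and not (set(p) & {"maxLength", "pattern", "enum"}):
                    findings.append(where + ('string has no "maxLength"/"pattern"/"enum"',))
    return findings


def harden(spec: dict) -> dict:
    """Apply the page's change (maximum 999999) plus a minimum of 1 (assumption)."""
    out = copy.deepcopy(spec)
    for ops in out["paths"].values():
        for op in ops.values():
            for p in op.get("parameters", []):
                if p.get("type") == "integer":
                    p.setdefault("maximum", 999999)
                    p.setdefault("minimum", 1)
    return out


def _match(template: str, path: str):
    """Match '/pet/{petId}' against '/pet/42'; return the path params or None."""
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    m = re.fullmatch(pattern, path)
    return m.groupdict() if m else None


def validate_request(spec: dict, method: str, path: str):
    """Return (ok, reason); enforces the spec before any handler would run."""
    base = spec.get("basePath", "")
    if not path.startswith(base):
        return False, "outside basePath"
    rel = path[len(base):]
    for template, ops in spec["paths"].items():
        values = _match(template, rel)
        if values is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, f"{method.upper()} not defined for {template}"  # undocumented verb
        for p in op.get("parameters", []):
            if p.get("in") != "path":
                continue
            raw = values[p["name"]]
            if p.get("type") == "integer":
                if not re.fullmatch(r"-?\d+", raw):
                    return False, f'{p["name"]} is not an integer'
                n = int(raw)
                if "minimum" in p and n < p["minimum"]:
                    return False, f'{p["name"]} below minimum {p["minimum"]}'
                if "maximum" in p and n > p["maximum"]:
                    return False, f'{p["name"]} above maximum {p["maximum"]}'
        return True, "ok"
    return False, "no matching path"
```

The unhardened spec lets /v1/pet/123456789 through, the hardened one rejects it with a reason that names the violated bound; the same validator also refuses a verb the spec never documented, which is the kind of behaviour a conformance scan would report.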
Capabilities Coming to Qualys API Security

- Static Assessment of the Swagger/OpenAPI file: get recommended changes to harden your API
- Conformance Scan to check the API's actual behavior: test the API endpoints for behavior that violates the Swagger file
- Vulnerability Scan to check the API for security flaws: a current feature in Qualys Web Application Scanning (WAS)